Multi-role unlocking of a data storage device

ABSTRACT

Disclosed herein is a data storage device comprising a data path, an access controller, and a data store. The data path comprises a data port configured to transmit data between a host computer system and the data storage device; a non-volatile storage medium configured to store encrypted user content data; and a cryptography engine connected between the data port and the storage medium and configured to use a cryptographic key to decrypt the encrypted user content data stored on the storage medium in response to a request from the host computer system. The access controller is configured to store on the data store multiple entries associated with multiple respective registered devices. The multiple entries comprise authorization data indicative of cryptographic keys that selectively provide user access or manager access for each of the multiple registered devices.

TECHNICAL FIELD

This disclosure relates to a data storage device that can be locked andunlocked.

BACKGROUND

Encryption of data enables relatively secure storage on data storagedevices, such as block data storage devices connectable via a UniversalSerial Bus (USB) cable. However, the user experience is oftendisappointing because the setup of passwords, keys and the like iscumbersome and complicated for technically unskilled users. Ifencryption is used, the keys and passwords are too often storedinsecurely. As a result, many users leave existing encryption technologyeffectively unused resulting in exposed confidential data.

Further, management of data storage devices is more efficient and moresecure if multiple roles are defined, such as user roles with restrictedaccess and manager roles with full access. However, common solutionsused in operating systems, such as access control lists based on log-incredentials, are impractical for data storage devices that are movedbetween different host computer systems. It would be desirable to definemultiple roles internally in the data storage device without use of anexternal operating system and access control lists.

SUMMARY

This disclosure provides a data storage device that enables thedefinition of multiple roles for unlocking and configuring the datastorage device based on cryptographic keys stored on the data storagedevice. The cryptographic keys are different between authorized devicesand manager devices. The cryptographic key (“user key”) provided inresponse to a connection from an authorized device enables decryption ofuser content data stored on the data storage device but does not enablereading other devices' configuration data. The cryptographic key(“manager key”) provided in response to a connection from a managerdevice enables decryption of user content data stored on the datastorage device and enables reading the configuration data.

Disclosed herein is a data storage device comprising a data path, anaccess controller, and a data store. The data path comprises a data portconfigured to transmit data between a host computer system and the datastorage device; a non-volatile storage medium configured to storeencrypted user content data; and a cryptography engine connected betweenthe data port and the storage medium and configured to use acryptographic key to decrypt the encrypted user content data stored onthe storage medium in response to a request from the host computersystem. The access controller is configured to store on the data storemultiple entries associated with multiple respective registered devices.The multiple entries comprise authorization data indicative ofcryptographic keys that selectively provide user access or manageraccess for each of the multiple registered devices.

In some embodiments, the user access enables decryption of the encrypteduser content data; and restricts reading of authorization dataassociated with other registered devices.

In some embodiments, the manager access enables decryption of theencrypted user content data; and enables reading of authorization dataassociated with other registered devices.

In some embodiments, each entry comprises authorization data indicativeof a user key to provide user access or indicative of a manager key toprovide manager access.

In some embodiments, each entry comprises a key field that stores theauthorization data indicative of only one of the user key and themanager key.

In some embodiments, the user key is derivable through a one-wayfunction from the manager key.

In some embodiments, the manager key enables reading of authorizationdata associated with other registered devices; and the user key,derivable from the manager key, enables decryption of the encrypted usercontent data.

In some embodiments, the user key is identical for multiple entries thatprovide user access.

In some embodiments, the manager key is identical for multiple entriesthat provide manager access.

In some embodiments, the authorization data of each of the multipleentries is encrypted based on a private key stored on one of themultiple registered devices associated with that entry.

In some embodiments, the private key is different for each of themultiple registered devices.

In some embodiments, each entry that provides user access comprisesencrypted metadata that is encrypted by a metadata encryption key; themetadata encryption key is based on the secret key stored on each of themultiple registered devices and is different for each entry; and themetadata encryption key is stored in that entry encrypted based on themanager key to provide access to the metadata in response to obtainingthe manager key.

In some embodiments, the access controller is further configured togenerate a challenge for one of the multiple registered devices; sendthe challenge to the one of the multiple registered devices over acommunication channel that is different from the data path; receive aresponse to the challenge from the one of the multiple registeredauthorized device over the communication channel; and decrypt, based atleast partly on the response, the authorization data to obtain an accesskey that is one of a manager key that provides manager access, and auser key that provides user access.

In some embodiments, the challenge is based on the authorization data.

In some embodiments, the challenge is based on a public key of the oneof the multiple registered devices.

In some embodiments, the access controller is configured to encrypt thecryptographic keys to generate the authorization data.

In some embodiments, the access controller is further configured toperform the following steps for each of the multiple entries: generatean ephemeral private key and a corresponding ephemeral public key;encrypt the cryptographic key based on the ephemeral private key and aunlocking public key corresponding to an unlocking private key stored onthe respective registered device; discard the ephemeral private key; andstore the ephemeral public key and the unlocking public key.

In some embodiments, the data storage device is configured to registerwith the host computer system as a block data storage device.

There is further disclosed a method for providing access to a datastorage device that comprises a data store. The method comprisesstoring, on the data store, multiple entries associated with multiplerespective registered devices, wherein the multiple entries compriseauthorization data indicative of cryptographic keys that selectivelyprovide user access or manager access for each of the multipleregistered devices; connecting with one of the multiple registereddevices; selecting one of the multiple entries that is associated withthe connected registered device; and enabling use of one of thecryptographic keys of the selected one of the multiple entries toprovide user access or manager access for the one of the multipleregistered devices.

There is also disclosed a data storage device comprising means forstoring, on a data store, multiple entries associated with multiplerespective registered devices, wherein the multiple entries compriseauthorization data indicative of cryptographic keys that selectivelyprovide user access or manager access for each of the multipleregistered devices; means for connecting with one of the multipleregistered devices; means for selecting one of the multiple entries thatis associated with the connected registered device; and means forenabling use of one of the cryptographic keys of the selected one of themultiple entries to provide user access or manager access for the one ofthe multiple registered devices.

BRIEF DESCRIPTION OF DRAWINGS

A non-limiting example will now be described with reference to thefollowing drawings:

FIG. 1 illustrates a data storage device, according to an embodiment.

FIG. 2 illustrates a section of the configuration memory of the datastorage device of FIG. 1, according to an embodiment.

FIG. 3 illustrates a control flow between the authorized device and theaccess controller of FIG. 1, according to an embodiment.

FIG. 4 illustrates a certificate issued by the data storage device andsent by the authorized device to the data storage device to unlock thedata storage device, according to an embodiment.

FIG. 5 illustrates a method for providing access to a data storagedevice, according to an embodiment.

DESCRIPTION OF EMBODIMENTS

FIG. 1 illustrates a data storage device (DSD) 100 comprising a datapath 101 and an access controller 102, according to an embodiment. Thedata path 101 comprises a wire-based data port 103, which is provided inFIG. 1 by a USB bridge, for transmission of data between a host computersystem 104 and the DSD 100. In other embodiments, the data path 101comprises a wireless data port (not shown) for wireless transmission ofdata between the host computer system 104 and the DSD 100. The DSD 100registers with the host computer system 104 as a mass data storagedevice providing the functionality to the operating system of the hostcomputer system 104 of a block data storage device. DSD 100 furthercomprises a non-transitory storage medium 105 to store encrypted usercontent data, noting that the user content data is the data that a userwould typically want to store on a DSD, such as files including imagefiles, documents, video files, etc. The storage medium may be a solidstate drive (SSD), hard disk drive (HDD) with a rotating magnetic diskor other non-volatile storage media. Further, the storage medium may bea block data storage device, which means that the user content data iswritten in blocks to the storage medium 105 and read in blocks from thestorage medium 105.

Command Set

In one example, storage medium 105 comprises a cryptography engine 106in the form of a dedicated and/or programmable integrated circuit thatencrypts data to be stored on storage medium 105 and decrypts data to beread from storage medium 105. In such examples, the storage medium mayprovide a Small Computer System Interface (SCSI) or Advanced TechnologyAttachment (ATA) command set according to the Opal specification by theTrusted Computing Group (TCG).

Program code stored on the cryptography engine 106 enables thecryptography engine 106 to receive, interpret and execute commandsreceived from host computer system 104. For example, cryptography engine106 may be configured to implement the standard ATA or serial ATA (SATA)and/or ATA Packet Interface (ATAPI) command set, which is available fromTechnical Committee T13 noting that identical functionalities can beimplemented within TCG Opal, SCSI and other proprietary architectures.The command set comprises a READ SECTORS command with a command input ofthe count of sectors and the starting sector (noting that “sector” isused synonymously with “block” herein). Accordingly, there is acorresponding write command. It is noted that there is a data storagedevice driver installed on host computer system 104. The data storagedevice driver (not shown) uses the command set to provide high-levelservices to the operating system, such as file read functionalities. Insome examples, the data storage device driver is a generic driversupplied as part of the operating system without support fordevice-specific encryption commands since the encryption functionalityis hidden from the host computer system 104 and handled internallywithin DSD 100 as described below. This means that no additional driversneed to be installed to use the full functionality disclosed herein.

The command set provided by the cryptography engine 106 to the data port103 (but not forwarded to host computer system 104) may include acommand set from the ATA SECURITY feature set. In particular, thecommand set may include the command SECURITY SET PASSWORD or acorresponding command from TCG Opal to set a password for reading andwriting user content data to the storage medium 105.

In this sense, cryptography engine 106 is connected between the dataport 103 and the storage medium 105 and is configured to use acryptographic key to encrypt user content data to be stored on thestorage medium 105 and to decrypt the encrypted user content data storedon the storage medium 105 in response to a request from the hostcomputer system 104. In some examples, the ATA SECURITY feature set isused only by data port 103 and not by host 104. That is, the accesscontroller 102 provides the necessary input for the data port 103 toissue the ATA SECURITY commands to the cryptography engine 106. Forexample, the access controller 102 may provide a key to the data port103, which the data port 103 then forwards to the cryptography engine106 via the SECURITY SET PASSWORD command. The interface between theaccess controller 102 and the data port 103 may be an Inter-IntegratedCircuit (I2C) bus, which is particularly useful in cases where this busis already implemented in existing chips. However, it is possible to usemany other communication architectures including bus, point-to-point,serial, parallel, memory based and other architectures.

Note that the separation of functionalities in dedicated chips as shownin FIG. 1 is only one possible example implementation. Therefore, it ispossible to combine functionalities or split the functionalitiesfurther. For example, data port 103 may be integrated with accesscontroller 102 into a single chip with a single core. In other cases,the data port 103 and the access controller 102 can be integrated withcryptography engine 106 into a single dedicated chip with a single core.Of course, all chips may have multiple cores.

In one example, the following components are used:

Data port 103: USB 3.1 Gen 2 10 gigabits per second (Gb/s) interface

Access controller 102: nRF52840 system-on-chip (SoC) from NordicSemiconductor

It is noted that for the functionality disclosed herein, the accesscontroller 102 plays the leading role and will be described in moredetail below, noting again that the tasks may be separated into separatechips in other examples. When reference is made to a ‘configuration’ ofthe access controller 102 or the access controller 102 being‘configured’ to perform a certain step, this is to be understood torelate to program code that is stored on non-volatile memory in the DSD100 on program memory (not shown for clarity) and executed by the accesscontroller 102.

In other examples, some or all steps disclosed herein may be performedby hardware circuitry without program code. In particular, encryptionprimitives may be implemented by dedicated hardware circuitry forperformance and security reasons. For example, commands that areparticularly computationally demanding, such as elliptic curvemultiplication or exponentiation, may be implemented by an ArithmeticLogic Unit (ALU) specifically designed for this calculation, such thatthe calculation can be performed in a single or a smaller number ofprocessor cycles compared to using a sequential program in a generalpurpose microcontroller. It is further noted that the chips included inDSD 100 are microcontrollers, which means in this context that they donot run under an operating system that provides a hardware abstractionlayer but the program code acts directly on the hardware circuit. Whileelliptic curve cryptography is used herein as examples for reasons ofcomputational efficiency and security, it is noted that other public-keycryptosystems, such as the Rivest-Shamir-Adelman (RSA) cryptosystem,could equally be used.

Returning back to FIG. 1, there are a number of devices in addition tohost computer system 104 that are external to the DSD 100 and that actin the process of unlocking the DSD 100 and providing a key to thecryptography engine 106 so that, ultimately, decrypted data in plaintext can be provided to host computer system 104.

In particular, there is a first manager device 110, which is a mobilephone in most examples. Installed on the manager device 110 is anapplication (app′) to perform the following steps. In this way, thefollowing steps can be implemented in software by the manufacturer ofthe DSD 100 and distributed to the manager device 110 through a commonlyaccessible app store, such as Apple's App Store or Google Play. The appinstalled on manager device 110 performs steps to take ownership of theDSD 100 at which point all data on the DSD 100 is erased or otherwisemade inaccessible. For example, data may be crypto-erased by securelydeleting all cryptographic keys stored on DSD 100.

For simplicity of presentation, this disclosure describes steps assimply being performed by manager device 110 if they are implemented bythe app. The manager device 110 sets up the DSD 100, which means thevarious different keys are generated to support the process disclosedherein. Manager device 110 registers a user device 111 with the DSD, sothat the user device 111 is then referred to as the “authorized device”111. In most examples, the authorized device 111 is also a mobile phonewith an app installed that implements the steps described as beingperformed by the authorized device 111. However, other types of devicescan be used as authorized devices, which will be explained below inrelation to beacons and key fobs.

Taking Ownership

The first step in using DSD 100 after purchase, unpacking and power-upis to install the app on manager device 110 and register a device as themanager device 110. For this process, the manager device 110 obtains aunique identifier of the DSD from the DSD. This unique identifier isreferred to as the identity key (IDK). In the example illustrated inFIG. 1, the identity key is encoded in a quick response (QR) code 112which is affixed to an external surface of the DSD 100. The appinstalled on manager device 110 has access to a camera and has asoftware module that extracts the encoded information from an image ofthe QR code 112. The manager device 110 captures an image of the QR code112 using the camera, and decodes the identity key of DSD 100 from theQR code. In one example, the QR code encodes a Uniform Resource Locator(URL). In that case, a generic app can capture the QR code, which thenautomatically directs the phone to an application store where the appcan be downloaded. The URL also includes the identity key so that theapp can decode that identifier once the app is installed.

In another example, manager device 110 may read another tag or NFC chipaffixed to or integrated with DSD 100 to obtain the identity key. Usingthat identity key, the manager device 110 can then initiate acommunication, such as wirelessly (e.g., over Bluetooth), with the DSD100 and in particular, with the access controller 102.

Recovery Key

Upon taking ownership of the DSD 100, the access controller 102generates a recovery key and provides the recovery key to the managerdevice 110. The recovery key can then be stored on a secure storage 113or printed and locked away. Ultimately, the recovery key can be used bya backup manager device 114 to assume the manager role that the managerdevice 110 previously had.

Registration of Authorized Device

Once the DSD 100 is initially configured during the take ownershipprocess, manager device 110 registers the authorized device 111.Typically, there may be multiple authorized devices registered with asingle DSD 100 so manager device 110 registers the authorized device asone of multiple authorized devices. More particularly, access controller102 receives from the manager device 110 a public key associated with aprivate key stored on user device 111. The manager device 110 itself mayhave received the public key from the user device 111 via email, byscanning a QR code displayed on the user device 111 or any other way. Atthis point in time, device 111 is not yet authorized and therefore,simply referred to as “user device 111”. Once user device 111 isauthorized, it is referred to as “authorized device 111”. Accesscontroller 102 creates authorization data that indicates that userdevice 111 is an authorized device (as described below) and stores theauthorization data associated with the public key on the configurationmemory 115 to register the user device 111 as one of the multipleauthorized devices. This means keys and other data associated withauthorized device 111 are created and stored as described below. A usercan then use the authorized device 111 to unlock the DSD 100 simply bybringing the authorized device 111 into wireless communication range,such as within Bluetooth range. Again, the steps performed by authorizeddevice 111 are encoded in an app installed on authorized device 111.Depending on configuration parameters, the user may be required tounlock authorized device 111 before DSD 100 can be unlocked.

More particularly, access controller 102 has access to a non-volatileconfiguration data store, such as configuration memory 115, which may bea flash memory that is external to the access controller 102 (but mayequally be integrated into access controller 102). Configuration memory115 may also store the program code that implements the steps describedherein as being executed by access controller 102. It is noted that someexamples herein are configured under the assumption that an attacker canreadily unsolder and read out the content of the configuration memory115 but should not be able to decrypt the user content data with thatinformation. That is, in those examples, no keys are stored persistentlyin plain text on configuration memory 115 or elsewhere in DSD 100 onnon-volatile memory.

Once the cryptographic keys are available in plain text, they are storedonly in volatile memory (not shown). This means that a power-down of theDSD 100 erases all cryptographic keys stored in plain text. Additionalcircuitry may be provided to reset all remaining charges on power-down,power-up or external reset, so that it is physically impossible inpractice to recover any information from volatile memory. In many cases,power-down and erasure of all volatile memory occurs as a result of theuser disconnecting the USB cable from the host computer system 104. Inother examples, a secondary power supply is used which needs to bedisconnected to power down the DSD 100 to delete the volatile memory.

Challenge-Response

Configuration memory 115 has stored thereon data that is specific forthe registered authorized device 111. This data may be referred to as anidentifier of the authorized device 111 or as a public key associatedwith a corresponding private key stored on the authorized device 111.The public key may be a “transport public key” (TPK) and is generated bythe authorized device 111 on first launch of the app by executing anelliptic curve cryptography (ECC) primitive ECC-Pub({transport privatekey}). (Recall that while elliptic curve cryptography is used herein asexamples for reasons of computational efficiency and security, it isnoted that other cryptographic techniques could equally be used.) Thecorresponding private key is stored on authorized device 111. The accesscontroller 102 is configured to use the identifier (e.g., transportpublic key) or generate and store a further public key, to generate achallenge for the authorized device 111. It is noted here that thechallenge is unique in the sense that each challenge is different, sothat a subsequent challenge is different from any previous challenges.As described below, this is achieved by multiplying the stored data by arandom blinding factor. Then, the access controller 102 sends thechallenge to the authorized device 111 over a communication channel thatis different from the data path. For example, the data path may includea wire-based USB connection while the communication channel between theaccess controller 102 and the authorized device 111 is a wireless (e.g.,Bluetooth) connection.

In one example, a re-enrolment process takes place responsive to theauthorized device connecting with the DSD 100 for the first time afterthe authorization data was created and stored on configuration memory115 associated with the public key of the authorized device 111 receivedfrom the manager device 110. During the re-enrolment process, DSD 100updates the authorization data and as set out below may requestauthorized device 111 to generate an unlocking public key (and acorresponding unlocking private key) in addition to the transport publickey. The authorized device 111 then provides the unlocking public key tothe access controller 102.

This has the advantage that the two corresponding private keys(transport private key and unlocking private key) can be storedseparately on the authorized device and both keys can have differentaccess policies. For example, transport public key may be accessible atany time, even if the authorized device 111 is locked (e.g., by a screenlock or time out), so as to allow continuous communication betweenauthorized device 111 and DSD 100. To unlock DSD 100, however, theaccess policy of the unlocking private key may require that the userunlocks authorized device 111, enters a personal identification number(PIN), provides biometric or other authentication. This way, DSD 100cannot be unlocked by a stolen authorized device. Since unlocking DSD100 is performed only once while DSD 100 is powered, the increasedsecurity does not significantly reduce user convenience.

The authorized device 111 can calculate a response to the challenge thatcannot be calculated by any other device that is not registered with theDSD. More specifically, the correct response cannot be calculated by adevice that does not have access to data that corresponds to theidentifier stored on configuration memory 115. For example, authorizeddevice 111 uses the stored unlocking private key that is associated withthe corresponding unlocking public key stored on configuration memory115, to calculate the response to the challenge.

The access controller 102 receives the response to the challenge fromthe authorized device 111 over the communication channel. It is notedhere that if the access controller 102 simply validates the response tothe challenge and upon success, reads the cryptographic key fromconfiguration memory 115, the cryptographic key would be stored in plaintext, which is undesirable since this would enable an attacker todisassemble the DSD 100 and read the key from configuration memory 115to access the user content data stored on storage medium 105.

Calculate Key

So, instead, access controller 102 calculates the cryptographic keybased at least partly on the response from the authorized device 111.This means the cryptographic key is not a pure function of the responsebut involves other values as described in more detail below. In summary,the cryptographic key is stored in encrypted form on configurationmemory 115 and the response, which is based on the private key stored onthe authorized device, enables the calculation of the secret thatdecrypts the cryptographic key.

Throughout this disclosure, reference may be made to ‘wrapping’ of keys,which simply means that the key is encrypted by another key (i.e., bythe “secret”). In many cases of ‘wrapping’ the encryption is symmetricsuch that a single secret (key) exists that can decrypt the encryptedkey (without a public key associated with the secret). In one example,symmetric encryption uses the Advanced Encryption Standard (AES)primitive.

Finally, access controller 102 provides the cryptographic key to thecryptography engine 106 (via data port 103 in this example) to decryptthe encrypted user content data stored on the storage medium 105 of theDSD 100. As mentioned above, once the access controller 102 hascalculated the cryptographic key, the access controller 102 provides thecryptographic key to the data port 103 in plain text and the data port103 issues the SECURITY SET PASSWORD command to the cryptography engine106 including the cryptographic key.

It is noted that where reference is made to ‘unlocking’ the device, thiscan refer to the entire process described above including the challenge,the response to the challenge and sending of the cryptographic key tothe cryptography engine 106 to allow plain text read commands issued bythe host computer system. In other examples, the challenge and theresponse to the challenge are considered as being part of a separate‘connect’ step. During the following ‘unlocking’ step the accesscontroller 102 then sends the cryptographic key to the data port 103 toallow access to the user content data.

It is noted, as an aside, that it may be possible for an attacker toeavesdrop on the key transmission from the access controller 102 to thedata port 103 and then to the cryptography engine 106. However, thetransmission of the key is not over a public network, so thiseavesdropping would require gaining access to and disassembling theunlocked DSD without removing power from the DSD 100. This scenario maybe discarded as a threat since in this scenario the user content data isavailable anyway on host computer system 104. In other words, while theDSD 100 is connected and unlocked, data is available to the rightfuluser and the attacker. But once the user disconnects the DSD from hostcomputer system 104, this eavesdrop attack is not possible anymore.Therefore, this attack is not further considered.

For completeness it is noted that once the cryptography engine 106 hasreceived the cryptographic key, the host computer system 104 can issueordinary READ SEGMENT commands and transparently access the encrypteddata without any perceivable difference to accessing an unencrypteddevice. This is particularly the case where the cryptography engine hashardware cryptography modules to enable encryption and decryption at orabove the read and write speed of the storage medium 105 and/or the dataport 103. However, the user can disconnect the DSD 100 to lock it. Thisway, the DSD 100 can be carried by the user through insecure locationswhere the DSD 100 can be lost or stolen, but it is very difficult foranother person to decrypt the encrypted user content data stored onstorage medium 105. If the user maintains possession of the DSD, theuser can connect it to a second host computer system 116, convenientlyunlock the DSD 100 with his authorized device 111 (e.g., phone) andreadily access the encrypted user content data stored on the storagemedium 105.

For user convenience, the data port 103 can be configured such that ifthe DSD is locked, it registers with host computer system 104 as a massdata storage device with storage medium not present, similar to an SSDcard reader with no card inserted. Once the authorized device 111 isconnected to DSD 100 and the DSD 100 is unlocked, data port 103 switchesto storage medium present, similar to a card reader that had an SSD cardinserted. Such a configuration would avoid any warnings from beinggenerated by the operating system of the host computer system 104 aboutthe data not being accessible or access being denied. Instead, all userinteraction would be performed by the app installed on the authorizeddevice, which is fully controlled by the manufacturer of the DSD, souser experience can be optimized. As shown in FIG. 1, there may befurther mobile phones acting as authorized devices 117 and 118.

Beacons and Key Fobs

Considering FIG. 1 again, it can be seen that there are further devices,such as beacons 120 and key fob 121. These devices can also beconsidered as “authorized devices” since they can operate essentiallythe same as the authorized device 111. Before initial registration bythe manager device 110, these devices are referred to as “device to beauthorized”. When reference is made to a “user device” herein (mainlydescribing mobile phone 111 before initial registration), this alsoapplies to the beacons 120 and key fob 121 except when noted otherwise,such as in cases where user input is required. Beacons 120 and key fob121 also have their own private key stored securely so that they canrespond to a challenge that is specific for one beacon or key fob.However, since the beacons 120 and key fob 121 have no user input, theinitiation of communication may be slightly different. Moreparticularly, beacon 120 and key fob 121 may periodically sendadvertisements to broadcast their existence and the DSD 100 theninitiates the communication with beacon 120 and/or key fob 121, whichprompts them to send their transport public key. This is in contrast tothe authorized device 111, which sends the transport public key to theDSD 100 to initiate the communication.

In further examples, beacons 120 are in a de-activated state when theyare powered up and need to be activated by a manager device 110 or anauthorized device 111. This activation may follow a similar process asunlocking DSD 100. That is, manager device 110 or authorized device 111or both are registered with each beacon 120 with their transport publickeys and respond to a challenge as described herein. Thus, a device maybe registered as a manager device or an authorized device with one ofthe beacons 102 and/or key fob 121 without being registered with the DSD100 itself. If the response to the challenge is valid, beacons 120 thenunlock DSD 100. In yet a further example, beacons 120 are registeredwith each other, such that manager device 110 and/or authorized device111 need to activate only one of the beacons 120 and the remainingbeacons become activated automatically. In other words, the activation‘spreads’ through the beacon network as long as the beacons are in rangeof each other.

It is noted that the only piece of information that the authorizeddevices 111, 117, 118, 120 and 121 provide to the manager device 110 tobecome registered is one public key for each device. In other words,each device provides its own public key corresponding to a private keythat is securely stored on that device. Therefore, if an attackerintercepts the initial communication between one of the devices 111,117, 118, 120 and 121 and the manager device 110, the only informationthat the attacker can obtain is the public key. As the name suggests,the public key is not secret and can be generally known. Therefore, theattacker has not gained any advantage. Further, the manager device 110cannot use the public key to gain access to anything else related to theauthorized devices. For example, the manager device cannot decrypt orunlock any other data storage devices with which the authorized devicehas been registered by other manager devices.

The access controller 102 receives the public keys of the authorizeddevices from the manager device 110 and generates authorization data.Access controller 102 stores the authorization data on configurationmemory 115 waiting for the authorized device to connect for the firsttime. On the first connection, access controller 102 performs achallenge-response for the authorized device and upon success, updatesthe authorization data to indicate that the authorized device is nowfully registered. This first connection process is referred to as“re-enrolment” herein and details of generating the authorization dataand the re-enrolment are provided below.

Elliptic Curve Cryptography

In one example, the challenge generated by the DSD 100 and sent to theauthorized device 111 is based on elliptic curve cryptography. This hasthe advantages of shorter keys, which leads to more efficientcommunication and storage. Further, a large number of phones currentlyon the market provide dedicated functionality of elliptic curvecryptography within a secure hardware module. The secure hardware modulesecurely stores the user's private keys and performs cryptographicprimitives within the secure hardware module without the key leaving thesecure hardware module and being sent to a general purpose processorcore where the key may be subject to an attack for unauthorizedretrieval. In one embodiment, the secure hardware module includes aseparate processor that executes its own microkernel, which is notdirectly accessible by the operating system or any programs running onthe phone. The secure hardware module can also include non-volatilestorage, which is used to store 256-bit elliptic curve private keys. Inone embodiment, the secure hardware module is a Secure Enclavecoprocessor that is available on some Apple devices.

Authorized Device Data Record

FIG. 2 illustrates a section of configuration memory 115, according toan embodiment. More specifically, FIG. 2 illustrates one record 201, inconfiguration memory 115, which is associated with one of multipleauthorized devices and referred to herein as “authorization data”.Further data records for further authorized devices are schematicallyindicated as empty dashed boxes but not considered in detail as theyoperate in a similar manner to record 201. In particular, each furtherdata record comprises authorization data generated by the accesscontroller 102 in response to receiving a public key of a user devicefrom the manager device 110 and then updated during the first connectionof the user device (then “authorized device”). For convenience, the datastructure of configuration memory 115 is referred to as a ‘table’comprising one or more ‘records’, where each record relates to oneregistered authorized device and each record has multiple fields. It isnoted, however, that other data structures can be used, such asJavaScript Object Notation (JSON), Extensible Markup Language (XML),binary formats, etc. In one example, each entry has a fixed length andthe table has a fixed number of rows (i.e., entries). Within thisdisclosure, a ‘record’ may also be known as a ‘row’ or ‘entry’.

Record 201 comprises a field for a pre-authorization key 202, which isused responsive to the authorized device 111 connecting to the DSD 100for the first time. During this first connection, access controller 102performs a number of steps that are referred to as “re-enrolment” asdescribed below in more detail. The pre-authorization key 202 isgenerated from the identifier (e.g., the transport public key) of theauthorized device 111. For example, access controller 102 may generatethe pre-authorization key 202 by applying a key derivation functionusing the x-coordinate of the transport public key as an input parametertogether with an authorized device slot key as salt value to thederivation function. The authorized device slot key may be apseudo-random number (e.g., 16-bytes) stored on configuration memory 115and can be used to encrypt data in authorized device certificates sothat only the issuing DSD 100 can recover the information.

At that point, it can be said that the records stored on theconfiguration memory 115 are indexed by preauthorization key 202 basedon an identifier of the authorized device (e.g., the transport publickey). As described below with reference to FIG. 4, the index of record201 may be stored in a certificate, as a slot number, duringre-enrolment and at that point the pre-authorization key 202 can bereplaced by a random value to make the configured DSD indistinguishablefrom a new device from the factory even with possession of the transportpublic key.

Record 201 further comprises a field for a first copy of a metadatawrapping key (MWK) 203 and a pre-authorization metadata wrapping key(PMWK) 214. Some fields in record 201 are encrypted which is indicatedby double-lined boxes, where the single solid line boxes, inside thedouble-lined boxes, indicate the ‘payload’ such as the metadata wrappingkey 203 and the pre-authorization metadata wrapping key 214. Thecorresponding encryption key, used to encrypt the payload, is noted atthe bottom of the double-lined box. So, for example, metadata wrappingkey 203 is encrypted by an authorized device metadata key (ADMK) 204. Itshould be noted that each encryption box may comprise an additionalnonce that is concatenated with the payload data. This guarantees thatthe encrypted entry cannot be distinguished from random data even withthe possession of the encrypted data, such as the transport public keyof the authorized device.

Record 201 further comprises a field for authorized device metadata(ADM) 205, which is a concatenation of a device type 206 (e.g., recoverykey, key fob, beacon, phone, computer, watch, etc.), a role of thedevice 207 (“manager” or “user”), a name of the device 208 (e.g.,“John's phone”), a transport public key 209, unlocking key metadata 210(e.g., key restrictions of whether fingerprint, pin or no unlock isrequired), an ephemeral public key 211, and an unlocking public key 212.In one embodiment, the ephemeral public key 211 is an elliptic curvepublic key generated from a random ephemeral private key (EPK) using anElliptic Curve Cryptography (ECC) primitive ECC-Pub(EUK). The ephemeralprivate key is not stored on configuration memory 115 or on theauthorized device 111 but is discarded after creating the ephemeralpublic key. This means that the ephemeral private key is not stored onnon-volatile memory but only on volatile memory. As result, a power-downof the memory leads to complete and irrecoverable loss (e.g.,destruction) of the ephemeral private key. The unlocking public key 212corresponds to an unlocking private key stored on authorized device 111and is generated by authorized device 111 and provided to the accesscontroller 102.

The authorized device metadata (concatenated with a further nonce) isencrypted by the metadata wrapping key (MWK) 213 that is also stored inencrypted form at 203. The main purpose of storing the encryptedmetadata wrapping key 203 in entry 201 is to allow a manager user, whohas access to the authorized device metadata key 204, to access theencrypted authorized device metadata 205. If the metadata wrapping keywas not accessible to the manager, the manager would not be able toretrieve from the DSD 100 any information about which authorized devicesare currently registered. In one example, the authorized device metadatakey 204 is a single key for all authorized devices and is storedencrypted by a manager key. The manager key may be a pseudo-random value(e.g., 32 bytes) and generated by access controller 102 responsive tostorage medium 105 being erased. The manager key is encrypted and storedfor each paired manager device 110/114.

Record 201 further comprises a field for a second copy of device's role220 concatenated with a user key 221 and a second copy of the metadatawrapping key 222. It is noted that both role 207/220 and metadatawrapping key 203/222 are stored in two copies, which are identical butencrypted using different keys. The purpose of storing two copies of therole 207/220 is to enable the access controller 102 to verify the roleduring connection (responsive to the authorized device metadata beingdecrypted) as well as during unlocking (responsive to the user key 221being decrypted). The purpose of storing the first copy of the metadatawrapping key 203 is to provide it to a manager device having access tothe authorized device metadata key. The purpose of the second copy ofthe metadata wrapping key 222 is to provide it to a pre-authorizeddevice during the first connection. The concatenated values 220, 221,222 together are encrypted by an ephemeral unlock secret (EUS) 223 thatis originally generated by a Diffie-Hellman method using the ephemeralprivate key corresponding to ephemeral public key 211 and the unlockingpublic key 212. The ephemeral unlock secret 223 can be recovered usingthe ephemeral public key 211 and an associated unlocking private keystored on the authorized device 111 and corresponding to unlockingpublic key 212. In other words, the ephemeral unlock secret 223 can begenerated at the initial connection of the authorized device 111 to theDSD 100 using the ephemeral private key and the unlocking public key212. It is noted that the ephemeral private key itself is not stored butnevertheless, the ephemeral unlock secret 223 can be recovered asdescribed above. This means, the user key 221 is decryptable based onthe response from the authorized device. It is noted that the user key221 is identical for all authorized devices and can be used to decryptuser content data. This does not necessarily mean that the user keyitself decrypts the user content data. There may be further keys thatthe user key decrypts and the final key decrypts the user content data.The terms “using a key to decrypt user content data” and “enabledecryption of the user content data” refer to indirect encryption viamultiple keys in a chain. In contrast “the key decrypts the data” refersto direct decryption of the data with the key, such as modulomultiplication of the encrypted data by the key. Here, the user key 221is used to decrypt the data indirectly and may be the starting point ofa chain of keys that are decrypted sequentially until finally, the chainends at the key that decrypts the user content data. While in mostexamples disclosed herein, the ephemeral unlock secret 223 decrypts theuser key 221, it is also possible that the cryptographic key is derivedfrom the response to the challenge in other ways. For example, theresponse to the challenge may directly be used as the cryptographic keythat decrypts the user content data.

This allocation of keys and metadata enables a configuration where theentire configuration information about authorized devices, managerdevices, and other aspects is stored on the DSD 100 itself. However, theauthorized devices require a key stored on the respective authorizeddevice to unlock the DSD 100. If an unregistered user without access toany keys wants to access the entire configuration of the device, such asretrieve a list of registered devices, the unregistered user would needonly the recovery key to become registered as a manager device and gainaccess to the manager key. The DSD 100 can then provide the entirecontents of configuration memory 115 to the new manager device using themanager key. Further, there can be two manager devices and both canregister or remove authorized devices. The other manager device would beable to obtain configuration updates by synchronizing its own recordswith the data stored on configuration memory 115. In some examples, theDSD 100 is configured to erase records 201 of all authorized devices(but not delete the user content data or the user key 221, which may bestored as another copy in encrypted form on configuration memory 115separate from entry 201 and other entries) if the recovery key is usedto gain access but that is a policy decision.

FIG. 3 illustrates the control flow 300 between an authorized device 111and an access controller 102, according to an embodiment. First, theauthorized device 111 initiates a connect method by sending 301 itstransport public key. This step can be easily re-played by an attacker.Access controller 102 then replies 302 with a request for a certificateand in response to this request, authorized device 111 sends 303 acertificate previously obtained from the access controller 102 throughthe re-enrolment process.

Certificate

FIG. 4 illustrates a certificate 400 issued by the data storage device100 and sent by the authorized device 111 to the data storage device tounlock the data storage device, according to an embodiment. In thisexample, the certificate 400 comprises multiple type-length-value (TLV)fields, where the type value indicates the kind of field that is part ofthe certificate, length is the size of the value field (typically inbytes), and value is a variable-sized series of bytes which containsdata for this part of the certificate.

Certificate 400 begins with a TLV atom that indicates the type ofcertificate that follows. This is referred to as the certificate role401 and has a 2 byte value to indicate that this is an authorized devicecertificate.

Certificate 400 belongs to a certificate chain. Access controller 102uses the chain to validate and authenticate certificate 400. To indicatewhich chain certificate 400 belongs to, certificate 400 has a 4 byteroot certificate identifier (ID) 402. The certificate identifier of eachcertificate in the certificate chain is the same. Certificateidentifiers that do not match indicate an invalid certificate. In oneexample, a root certificate identifier indicates whether the certificatechain is a production or a development certification chain. In otherexamples, other groups may be indicated by respective certificateidentifiers.

Certificate 400 further comprises a 1 byte indicator of certificatedepth 403. A certificate's depth is defined as its distance from theroot certificate within its certificate chain. The root certificate isdefined to have a depth of zero. As a given certificate chain isprocessed the depth fields are validated to ensure integrity of thechain.

Certificate 400 also comprises a 64 byte certificate transport publickey 404 (e.g., according to the National Institute of Standards andTechnology (NIST) P-256 elliptic curve). Each certificate isdenoted/indexed via a transport public key. Each type of public key willhave its own dedicated tag type. That is, the tag type will denote thecipher suite used to generate the transport public key, such as theP-256 cipher suite.

Certificate 400 further comprises a data field 405 (explained below) andis authenticated via a signature 406. Access controller 102 receivescertificate 400 and validates the signature before trusting or using anyof the certificate's contents. To enable signature validation, the 64byte signer public key 407 is provided as part of the certificate. Thesignature 406 itself is 64 bytes in length and computed over all priorTLVs 401-405, 407 encountered within the certificate, regardless if theyare recognized by the implementation or not. More particularly, thesignature 406 is derived from a hash of the certificate data. Thespecific data that is signed is certificate dependent, but contains allTLVs used to represent the certificate, including TLVs that are notrecognized. The key used to generate the signature is a logical identitykey and is associated with signer public key 407.

Data field 405 comprises the slot number 410, which denotes the index ofthe record 201 within configuration memory 115. Data field 405 alsocomprises a further copy of the metadata wrapping key 411 (in additionto the two copies shown in FIG. 2). The data field 405 is encrypted withthe authorized device slot key (ADSK) 412, which is a 16 byte pseudorandom value stored in configuration memory 115 and is used to encryptdata in authorized device certificates so that only the issuing DSD 100can recover the information.

Unlocking the Data Storage Device

Returning to FIG. 3, if the authorized device 111 wishes to unlock theDSD 100, the authorized device 111 sends 303 the certificate 400, whichincludes the encrypted metadata wrapping key (MWK) 213/411 to accesscontroller 102. The certificate 400 also includes the slot number 410,which is an index of the record 201 in configuration memory 115.

Access controller 102 uses the authorized device slot key stored inconfiguration memory 115 to decrypt 304 data field 405, and extract theslot number and metadata wrapping key. Access controller 102 thenqueries configuration memory 115 to read 305 the appropriate record 201from configuration memory 115 and decrypts 306 the authorized devicemetadata 205 using the metadata wrapping key. This yields the ephemeralpublic key 211, which may also be referred to as an identifier of theauthorized device because it uniquely identifies the authorized devicesince the ephemeral public key 211 is cryptographically associated withan unlocking private key stored only on authorized device 111. Accesscontroller 102 may perform additional checks 307, such as validate thatthe transport public key 209 included in the authorized device metadata205 matches the transport public key 404 presented in the certificate400. Further, access controller 102 validates the role 401 against thevalid set of values, and associates the role with the connection. Thismeans that access controller 102 is aware of the current role (“user” or“manager”) during the duration of connection. For example, accesscontroller 102 stores a parameter value on volatile memory thatindicates the role 401 provided in the certificate. If any of thepreceding checks fail, the authorized device is deemed to be revoked andan error to that effect is issued. Otherwise, the connection attemptsucceeds and the access controller 102 sends 308 a connectedconfirmation message to the authorized device 111.

At this stage, the authorized device 111 is connected and the unlockprocess begins 319 by the authorized device 111 sending 320 an unlockrequest to access controller 102. The unlock request includes theunlocking public key associated with the private unlocking key stored onthe authorized device's secure hardware module. Access controller 102matches 321 the received unlocking public key against the unlockingpublic key 212 stored in the authorized device metadata record 205.Next, access controller 102 generates 322 a new blinding value (alsoreferred to as unlock blinding key (UBK)), which essentially is anephemeral private scalar and is generated randomly.

Access controller 102 then generates the challenge based on theidentifier of the authorized device (e.g., ephemeral public key 211)multiplied by the unlock blinding key (UBK). More particularly, accesscontroller 102 multiplies 323 the ephemeral public key 211 by the unlockblinding key, returning the full X and Y coordinates of the result,noting that this operation is performed on an elliptic curve. Accesscontroller 102 then sends 324 the X and Y coordinates to the authorizeddevice 111 as the challenge. It is noted here that this challenge isbased on the identifier of the authorized device 111 because theephemeral public key is one factor of the multiplication resulting inthe challenge. It is further noted that for each unlock request (i.e.,320) a different unlock blinding key is generated to avoidman-in-the-middle attacks.

Further, access controller 102 computes 325 the inverse of the unlockblinding key (UBK⁻¹). The access controller 102 can compute the inverseof the unlock blinding key while waiting for a response from theauthorized device 111.

The authorized device 111 calculates a response to the challenge bymultiplying 326 the challenge with the unlocking private key, which isstored in the authorized device's secure hardware module and whichcorresponds to unlocking public key 212 stored on configuration memory115. This may involve the execution of a cryptographic primitive thatcan be executed entirely within the secure hardware module within theauthorized device 111. Authorized device 111 then sends back 327 theresult in a response message. Access controller 102 multiplies 328 thereturned result with the inverse of the unlock blinding key to computethe ephemeral unlock secret (EUS) 223.

In mathematical notation, P represents the ephemeral public key, and krepresents the unlock blinding key created at step 322 in FIG. 3. Accesscontroller 102 calculates 323 the product k*P and sends 324 it to theauthorized device 111. The authorized device 111 multiplies 326 thechallenge with the unlocking private key j to calculate j*k*P andreturns 327 the result to access controller 102. The access controller102 multiplies 238 this response with the inverse of the unlock blindingkey k⁻¹ to calculatek⁻¹*j*k*Pwhich is equal to j*P due to commutative nature of elliptic curves(i.e., k⁻¹*j*k*P=k*k⁻¹*j*P=j*P).Access controller 102 then uses j*P as the ephemeral unlock secret(i.e., key) to decrypt 329 user key 221. That is, access controller 102uses the ephemeral unlock secret to decrypt the user key 221, stored onthe DSD 100, which is encrypted with the ephemeral unlock secret. Moreparticularly, access controller 102 decrypts 329 the user key, whichthen decrypts 330 a “user drive key”, which is then, finally, sent 331to cryptography engine 106 via TCG commands. That is, the user drive keymay be generated by access controller 102 using a key derivationfunction based on the user key. The user drive key is the TCG credentialused to unlock the DSD 100 and may be equated to the “cryptographic key”described herein. In the case of Opal, this is the User2 credential.

It is noted that the ephemeral unlock secret is generated during there-enrolment process by deriving a symmetric key from the result of anElliptic Curve Diffie-Hellman process using the unlocking private keystored on the authorized device 111 and the unlocking public key 212.The resulting key is used to encrypt the user key 221 but not stored inDSD 100. Instead, it is re-generated each time an authorized devicerequests to unlock the DSD 100, as described above.

In a further example, the unlocking private key j, in the equationsabove, can be replaced by a product of the unlocking private key with avalue derived from a passphrase. The unlocking private key would stillbe stored in the secure hardware module of the authorized device but theunlocking private key alone would not be able to decrypt the usercontent data stored on the DSD 100. Instead, the user needs to enter thepassphrase to calculate the response to the challenge and send 327 thatresponse. This would simply replace j above with the product of j withthe passphrase value. The DSD would be oblivious of that change becausethe ephemeral unlock secret 223 would be generated in the same way asabove from the view of the access controller 102.

Registration and Re-Enrolment

It is noted that the data record 201 shown in FIG. 2 is shown after theauthorized device 111 has completed the re-enrolment process and isallowed to decrypt the encrypted user content data. Again, there arethree steps overall: First, the manager device 110 registers a userdevice 111 once as one of multiple authorized devices. Second, theauthorized device 111, on first connection with the access controller102, re-enrols once to complete the generation of the involved keys.Third, the authorized device 111 subsequently connects with the accesscontroller 102 to unlock the DSD 100. This third step can occur multipletimes.

During the (initial) registration step initiated by the manager device110, access controller 102 receives from the manager device 110 a publickey corresponding to a private key stored on the user device 111. Inresponse, access controller 102 creates authorization data, which issimilar to the data record 201 in FIG. 2 with the exception that theunlocking public key 212 field holds the transport public key 209 (asreceived from the manager device 110) because the unlocking public keyhas not yet been generated. Access controller 102 generates thepre-authorization key 202 that is essentially an index to locate therecord 201. The pre-authorization key is generated by a key generationfunction using the x coordinate of the received transport public key 209and a salt value. The salt value may be an authorized device slot key,which may be a 16-bytes pseudo-random value generated during the “takeownership” process, stored on the configuration memory 115, and notshared with the authorized device. This way the salt can be differentafter each “factory reset”, such as each time a manager device takesownership of the DSD 100.

Creating the authorization data stored in record 201 further comprisesgenerating the metadata wrapping key 222, such as by generating a16-bytes pseudo-random value. Access controller 102 stores the metadatawrapping key in field 222. Further, access controller 102 generates theephemeral unlock secret 223 and encrypts the role 220 (“user” or“manager”), user key 221 and the new metadata wrapping key 222 with theephemeral unlock secret 223. Then access controller 102 generates anephemeral public key 211 from the ephemeral unlock secret 223 anddiscards ephemeral unlock secret 223.

Recall that during the (initial) registration step initiated by themanager device 110, access controller 102 creates authorization data,which is similar to the data record 201 in FIG. 2. In contrast to FIG.2, the authorized device metadata 205 is not encrypted by the newmetadata wrapping key but by a pre-authorized metadata wrapping keybecause the actual metadata wrapping key 222 is not yet available to theauthorized device 111. The pre-authorized metadata wrapping key may beidentical to the pre-authorization key 202 at this stage or generatedseparately. It is noted that the pre-authorized metadata wrapping key,which now encrypts the authorized device metadata 205 can be generatedonly by the access controller 102 and not provided by the authorizeddevice 111 because the authorized device 111 does not have access to theauthorized device slot key that is used to generate the pre-authorizedmetadata wrapping key.

So, responsive to the authorized device 111 first connecting with theaccess controller 102, authorized device 111 sends its transport publickey to access controller 102. Access controller 102 uses the transportpublic key and the stored authorized device slot key to generate thepre-authorization key 202. Access controller 102 can then search for thepre-authorization key 202 in the configuration memory 115 to retrieverecord 201. Access controller 102 can also use the pre-authorization keyas the pre-authorization metadata wrapping key to decrypt the authorizeddevice metadata 205.

As described above, access controller 102 generates a challenge usingthe ephemeral public key 211 and an unlock blinding key. Accesscontroller 102 then creates the ephemeral unlock secret 223 from theresponse. It is noted that only the authorized device 111 with theprivate key corresponding to transport public key 209 can create a validresponse. This means that even if an attacker disassembles theconfiguration memory 115 and reads the authorized device slot key togenerate the pre-authorization metadata wrapping key to decrypt theephemeral public key 211, the attacker would still not be able togenerate the ephemeral unlock secret 223.

Access controller 102 validates the response by checking that theresponse works as ephemeral unlock secret 223 and in response, updatesthe authorization data in record 201. More particularly, accesscontroller 102 checks whether field 212 for the unlocking public key isidentical to the transport public key 209. In response to both beingidentical (as set out above), access controller 102 requests a newunlocking public key from authorized device 111 and stores the returnedkey as unlocking public key 212.

Access controller further decrypts the metadata wrapping key 222 thatwas generated during registration by the manager device 110. At thisstage, access controller 102 may re-generate the ephemeral unlock secret223, encrypt role 220, user key 221, and metadata wrapping key 222,re-generate and store the ephemeral public key 211 and discard theephemeral unlock secret 223. Finally, access controller encrypts theauthorized device metadata 205 with the metadata wrapping key 222 andoverwrites the pre-authorization key 202 with random values to make theconfiguration memory 115 indistinguishable from random data even withthe possession of the transport public key and/or the unlocking publickey. This concludes the update of the authorization data stored inrecord 201 and the registration process. As a result, the authorizeddevice 111, as one of multiple authorized devices, is now allowed todecrypt the encrypted user content data through the unlocking steps setout above.

The process described above, involving the creating and update ofauthorization data, enables the registration of multiple authorizeddevices using only their public keys during the first step ofregistration by the manager device 110. This way, no secret informationneeds to be shared that could potentially be intercepted and used formalicious unlocking of other devices of the user.

Multiple Roles

Returning to FIG. 2, configuration memory 115 stores multiple entries ofwhich only two are shown (first entry 201 and second entry 250). In mostcases, there is one entry per registered device. Each ‘registered’device may be a manager device 110 or authorized device 111, 117, 118,120, 121. There may be additional entries, such as for a recovery key(not shown).

First entry 201 is associated with authorized device 111, as explainedin detail above. It is noted again, that the first entry stores a userkey 221 that is encrypted by ephemeral unlock secret 223, which can becalculated from a response to a challenge using the ephemeral public keyECC-Pub(EUK) 211.

Second entry 250 is associated with manager device 110. Most fields insecond entry 250 have the same functionality as in first entry 201 andas described above. In summary, a pre-authorization key 252 enableslocating second entry 250 at the first connection of manager device 110with DSD 100, noting that manager device 110 may have been registered byanother manager device that initially performed the take ownershipprocess. This registration proceeds the same way as the registration ofan authorized device explained above (including the re-enrolment and theuse of certificates to provide the entry index and metadata wrappingkey). Again, a copy of the metadata wrapping key 253 and thepre-authorized metadata wrapping key 264 are stored encrypted by theauthorized device metadata key to enable manager access to authorizeddevice metadata 255, which is encrypted by the metadata wrapping key263. The metadata wrapping key 263 is provided in a certificate by themanager device 110 to decrypt the authorized device metadata 255, whichcomprises a device type 256 and role 257. The role 257 is now differentto the role 207 as role 257 holds a value indicating a manager role,whereas role 207 holds a value indicating a user role. It is noted thatthe metadata wrapping key 203/213/222 of first entry 201 is differentfrom metadata wrapping key 253/263/272 of second entry 250.

Again, similar to the first entry 201, authorized device metadata 255comprises a name 258, transport public key 259, unlocking key metadata260, ephemeral public key 261 and unlocking public key 262 of themanager device 110. These functions are similar to their counterparts infirst entry 201 and as described above. Manager device 110 also stores atransport private key and unlocking private key on a secure hardwaremodule. Further, access controller 102 generates a challenge based onthe ephemeral public key 261 and calculates, based on the response fromthe manager device 110, the ephemeral unlock secret 273, which decryptsa second copy of the role 270 and a second copy of the metadata wrappingkey 272. In contrast to the first entry 201, where the user key 221 isdecrypted, the ephemeral unlock secret 273 now decrypts the manager key271, which provides manager access.

In some examples, the user key 221 is directly derivable from themanager key 271, which means that the manager key is the only secretinformation that is required to calculate the user key. The derivationmay be one-way, which means the manager key cannot be derived from theuser key. The derivation may be based on a hash function, such as ahash-based message authentication code (HMAC) according to the requestfor comments (RFC) 5869 of the Internet Engineering Task Force (IETF)using Secure Hash Algorithm 2 (SHA-2) with 512 bits (see also NationalInstitute of Standards and Technology special publication (SP) 800-56C).It is noted that the manager key is identical for all manager deviceentries and consequently, the user key is also identical for allauthorized device entries.

Having a derivable user key also means that as soon as the manager key271 is available, the user key can always be calculated. As a result, inresponse to manager device 110 providing the correct response to thechallenge, access controller 102 can decrypt the user content data usingthe user key derived from the manager key 271 which was decrypted basedon the response. Therefore, manager device is said to be provided withmanager access, which comprises access to the user content data andaccess to the authorization data stored on configuration memory 115. Asa result, manager device 110 can request a list of registered devices,which can be provided by the access controller 102. Consequently,manager device 110 can store the list locally on manager device 110 anddisplay the list on a graphical user interface. The process ofretrieving all entries of registered devices may be supported by abitmap data object that comprises one bit for each possible data entry,such as 256 bits for 256 possible registered devices. Access controller102 sets the bit to ‘1’ in response to writing one of the multipleentries. This way, access controller 102 can determine which entries arevalid and does not attempt to decrypt invalid entries.

In contrast to manager device 110, authorized device 111 has no accessto manager key 271 but only access to user key 221, which does notenable decryption of other devices' metadata. Therefore, it is said thatthe reading of authorization data associated with other registereddevices is restricted for authorized devices (without access to themanager key 271).

It is noted here that each entry 201/250 and each further entry that isnot shown, comprises metadata that is encrypted by a different metadatawrapping key. Therefore, in response to providing manager access, accesscontroller 102 determines a separate metadata wrapping key for eachentry. More particularly, with the manager key 271 available, accesscontroller 102 calculates the authorized device metadata key 254 (whichis identical for all entries) and uses that key for decrypting eachentry-specific metadata wrapping key 203/253, which in turn, enablesaccess controller 102 to decrypt each authorized device metadata 255. Itis also noted that manager access does not allow decryption of the userkey 221 from the authorized device entries because calculating theephemeral unlock secret 223 requires the unlock secret key that is keptin the memory of each authorized device. However, the user key 221 isderivable from the manager key 271, so there is no benefit for themanager device 110 to decrypt the user key 221 from the authorizeddevice entry 201.

In summary, the entries 201 and 250 store either the user key 221 or themanager key 271 which enables the access controller to selectivelyprovide user access or manager access to the multiple registereddevices.

Method for Providing Access

FIG. 5 illustrates a method 500 for providing access to a data storagedevice, according to an embodiment. The method commences by the accesscontroller 102 storing 501, on configuration memory 115, the multipleentries 201/250 associated with multiple respective registered devices110/111. The multiple entries 201/250 comprise authorization data201/250 indicative of cryptographic keys 221/271 that selectivelyprovide user access or manager access for each of the multipleregistered devices 110/111. Access controller 102 connects 502 with oneof the multiple registered devices 110/111 and selects 503 one of themultiple entries that is associated with the connected registereddevice. Then, access controller 102 enables 504 use of one of thecryptographic keys of the selected one of the multiple entries toprovide user access or manager access for the one of the multipleregistered devices.

Registering the Data Storage Device

The data port 103 registers, with the host computer system 104, as ablock data storage device. For example, Universal Serial Bus (USB)devices provide information in the form of a USB device descriptor. TheUSB device descriptor contains relevant information about the device.Accordingly, in embodiments in which the data storage device isconnected to a host computer system via a USB connection, the datastorage device registers with the host computer system as a block datastorage device by configuring its USB device descriptor to indicate thatthe data storage device is a block data storage device.

The USB device descriptor provides structured information regarding theUSB device such as the class of device, protocols supported, type ofdevice, manufacturer and other configuration parameters. An operatingsystem of a host computer can obtain the USB device descriptor of thedata storage device by sending various standard control requests (e.g.,GET_DESCRIPTOR requests) to the data storage device. In response toreceiving these requests, the data storage device provides theUSB_DEVICE_DESCRIPTOR to the host computer system, thus registering thedata storage device with the host computer system as a block datastorage device. The host computer interprets the USB_DEVICE_DESCRIPTORto determine the configuration and capabilities of the data storagedevice. The host computer system may then store information regardingthe data storage device in the registers of the operating system of thehost computer system.

It will be appreciated by persons skilled in the art that numerousvariations and/or modifications may be made to the above-describedembodiments, without departing from the broad general scope of thepresent disclosure. The present embodiments are, therefore, to beconsidered in all respects as illustrative and not restrictive.

The invention claimed is:
 1. A method for providing access to a datastorage device from a host computer system, the method comprising:storing, on a data store in the data storage device, multipleauthorization data entries, wherein: each authorization data entry ofthe multiple authorization data entries is associated with a registereddevice of multiple registered devices; and the multiple authorizationdata entries comprise authorization data indicative of cryptographickeys that selectively provide user access or manager access for eachregistered device of the multiple registered devices; communicating witha requesting registered device of the multiple registered devices;selecting an authorization data entry that is associated with therequesting registered device; determining, using the authorization dataentry associated with the requesting registered device, a content datacryptographic key; and selectively providing user access or manageraccess for the requesting registered device to unlock encrypted usercontent data from the data storage device for the host computer system.2. A data storage device comprising: a data path comprising: a data portconfigured to transmit data between a host computer system and the datastorage device; a non-volatile storage medium configured to storeencrypted user content data; and a cryptography engine connected betweenthe data port and the storage medium and configured to use a contentdata cryptographic key to decrypt the encrypted user content data storedon the storage medium in response to a request from the host computersystem; and an access controller configured to: store, in a data store,multiple authorization data entries, wherein: each authorization dataentry of the multiple authorization data entries is associated with aregistered device of multiple registered devices; and the multipleauthorization data entries comprise authorization data indicative ofcryptographic keys that selectively provide user access or manageraccess for each registered device of the multiple registered devices;communicate with a requesting registered device of the multipleregistered devices; select the authorization data entry that isassociated with the requesting registered device; determine, using theauthorization data entry associated with the requesting registereddevice, the content data cryptographic key; and selectively provide useraccess or manager access for the requesting registered device to unlockencrypted user content data for the host computer system.
 3. The datastorage device of claim 2, wherein the user access: enables decryptionof the encrypted user content data; and restricts reading ofauthorization data associated with other registered devices.
 4. The datastorage device of claim 2, wherein the manager access: enablesdecryption of the encrypted user content data; and enables reading ofauthorization data associated with other registered devices.
 5. The datastorage device of claim 2, wherein each authorization data entrycomprises authorization data indicative of: a user key to provide useraccess to the content data cryptographic key; or a manager key toprovide manager access to the multiple authorization data entries. 6.The data storage device of claim 5, wherein each authorization dataentry comprises a key field configured to store authorization dataindicative of only one key of the user key and the manager key.
 7. Thedata storage device of claim 5, wherein the user key is derivablethrough a one-way function from the manager key.
 8. The data storagedevice of claim 7, wherein: the manager key is configured to enablereading of authorization data associated with other registered devices;and the user key, derivable from the manager key, is configured toenable decryption of the encrypted user content data.
 9. The datastorage device of claim 5, wherein the user key is identical formultiple authorization data entries that provide user access.
 10. Thedata storage device of claim 5, wherein the manager key is identical formultiple authorization data entries that provide manager access.
 11. Thedata storage device of claim 2, wherein: the authorization data of eachauthorization data entry of the multiple authorization data entries isencrypted based on a private key stored on an associated registereddevice of the multiple registered devices; and the associated registereddevice is associated with that authorization data entry.
 12. The datastorage device of claim 11, wherein the private key is different foreach registered device of the multiple registered devices.
 13. The datastorage device of claim 12, wherein: each authorization data entry thatprovides user access comprises encrypted metadata that is encrypted by ametadata encryption key; the metadata encryption key is based on theprivate key stored on each registered device of the multiple registereddevices and is different for each authorization data entry; and themetadata encryption key is stored in that authorization data entryencrypted based on a manager key to provide access to the encryptedmetadata in response to obtaining the manager key.
 14. The data storagedevice of claim 2, wherein the access controller is further configuredto: generate a challenge for the requesting registered device of themultiple registered devices; send the challenge to the requestingregistered device of the multiple registered devices over acommunication channel that is different from the data path; receive aresponse to the challenge from the requesting registered device of themultiple registered devices over the communication channel; and decrypt,based at least partly on the response, the authorization data to obtainan access key that is one of: a manager key that provides manageraccess, and a user key that provides user access.
 15. The data storagedevice of claim 14, wherein the challenge is based on the authorizationdata.
 16. The data storage device of claim 14, wherein the challenge isbased on a public key of the requesting registered device of themultiple registered devices.
 17. The data storage device of claim 2,wherein the access controller is further configured to encrypt thecryptographic keys to generate the authorization data.
 18. The datastorage device of claim 17, wherein the access controller is furtherconfigured to perform the following steps for each authorization dataentry of the multiple authorization data entries: generate an ephemeralprivate key and a corresponding ephemeral public key; encrypt thecontent data cryptographic key based on the ephemeral private key and anunlocking public key corresponding to an unlocking private key stored onthe respective registered device; discard the ephemeral private key; andstore the ephemeral public key and the unlocking public key.
 19. Thedata storage device of claim 2, wherein the data storage device isconfigured to register with the host computer system as a block datastorage device.
 20. A data storage device comprising: means for storing,on a data store in the data storage device, multiple authorization dataentries, wherein: each authorization data entry of the multipleauthorization data entries is associated with a registered device ofmultiple registered devices; and the multiple authorization data entriescomprise authorization data indicative of cryptographic keys thatselectively provide user access or manager access for each registereddevice of the multiple registered devices; means for communicating witha requesting registered device of the multiple registered devices; meansfor selecting an authorization data entry that is associated with therequesting registered device; means for determining, using theauthorization data entry associated with the requesting registereddevice, a content data cryptographic key; and means for selectivelyproviding user access or manager access for the requesting registereddevice to unlock encrypted user content data from the data storagedevice for a host computer system.